| Time |
Nick |
Message |
| 00:18 |
|
YuGiOhJCJ joined #luanti-dev |
| 02:06 |
|
MTDiscord joined #luanti-dev |
| 02:08 |
|
MTDiscord joined #luanti-dev |
| 02:11 |
|
MTDiscord joined #luanti-dev |
| 02:14 |
|
MTDiscord joined #luanti-dev |
| 03:48 |
|
Alias joined #luanti-dev |
| 04:00 |
|
MTDiscord joined #luanti-dev |
| 04:19 |
|
mrcheese left #luanti-dev |
| 04:35 |
|
YuGiOhJCJ joined #luanti-dev |
| 08:22 |
|
Warr1024 joined #luanti-dev |
| 08:47 |
|
Warr1024 joined #luanti-dev |
| 10:04 |
|
ivanbu joined #luanti-dev |
| 10:08 |
|
Farooq joined #luanti-dev |
| 10:32 |
|
Farooq joined #luanti-dev |
| 11:14 |
|
MTDiscord joined #luanti-dev |
| 11:32 |
|
Farooq joined #luanti-dev |
| 11:33 |
|
MTDiscord joined #luanti-dev |
| 11:52 |
|
jstein joined #luanti-dev |
| 12:06 |
[MatrxMT] |
<y5nw> Merging #17187 in 15m |
| 12:06 |
ShadowBot |
https://github.com/luanti-org/luanti/issues/17187 -- Do not send translation files without a language extension by y5nw |
| 12:29 |
sfan5 |
apparently our PPA does not yet have 5.16.1? @luatic |
| 12:32 |
|
Farooq joined #luanti-dev |
| 14:02 |
|
Farooq joined #luanti-dev |
| 15:22 |
|
Farooq joined #luanti-dev |
| 15:52 |
|
Farooq joined #luanti-dev |
| 18:50 |
sfan5 |
does anyone have any idea what we should do about debian+ubuntu not shipping a security fix after an entire month? shame them on twitter/mastodon? add a red banner on the downloads page? |
| 18:51 |
sfan5 |
https://ubuntu.com/security/CVE-2026-41196 "Needs evaluation" |
| 18:52 |
sfan5 |
https://security-tracker.debian.org/tracker/CVE-2026-40959 marked as "fixed" in the 5.10.0 package (which all stable versions ship), but I can't find any indication at all that they backported the patch |
| 18:53 |
sfan5 |
I'll test if it's actually fixed in a moment |
| 19:00 |
sfan5 |
ok I appear to be wrong. they have backported the fix to 5.10 |
| 19:09 |
sfan5 |
ubuntu 24.04.3 has no "luanti" in repos and if you install "minetest" you get 5.6.1 🤯 |
| 19:11 |
sfan5 |
not patched, of course https://x0.at/e1Mx.txt |
| 19:13 |
sfan5 |
https://x0.at/uggB.txt 26.04 too |
| 19:17 |
sfan5 |
and 22.04 for completeness https://x0.at/Tdgi.txt |
| 19:21 |
sfan5 |
from the server list logs basically nobody is still using 5.10.0 |
| 19:22 |
cheapie |
sfan5: FWIW Debian has pages where you can see what patches they're applying: https://sources.debian.org/patches/luanti/5.10.0+dfsg-5+deb13u1/ |
| 19:25 |
sfan5 |
while 5.6.1 has about ~400 DAU (daily active users) specifically on Ubuntu |
| 19:25 |
sfan5 |
cheapie: I see. I checked the git repo they prepare releases in and couldn't find anything. |
| 19:27 |
cheapie |
Generally the packages.debian.org page for the package you're interested in is the place to start for things like this, it has a bunch of useful links along the right side: https://packages.debian.org/trixie/luanti |
| 19:28 |
cheapie |
"Debian Patch Tracker" is the one that lists the patches they're applying, "Developer Information" provides a page listing a whole bunch of information of varying utility, and most of the rest are fairly self-explanatory |
| 19:29 |
rubenwardy |
probably best to start by emailing the maintainers or making an issue on their trackers |
| 19:30 |
cheapie |
As far as I can tell, Debian is handling this as they intend to (backported the security fixes to the version in stable, and testing/sid have something almost up-to-date), Ubuntu needs some poking though |
| 19:32 |
sfan5 |
as a software project begging distributions to please protect their own users from RCE when they have already been informed is monumentally stupid |
| 19:33 |
cheapie |
Is there an RCE element to this? I was under the impression it's "only" privilege escalation, not that that's an excuse to not fix it |
| 19:34 |
sfan5 |
that's stretching it a bit. the exploitation path is "download malicious mod -> run singleplayer -> oops" |
| 19:36 |
cheapie |
Which sounds like privilege escalation (you intentionally run code and then it can do something it's not supposed to be able to do), as opposed to RCE which I'd expect to be something more like "connect to malicious server -> oops" |
| 19:36 |
cheapie |
(or "be connected to by malicious client -> oops") |
| 19:38 |
cheapie |
I guess it doesn't really matter what it's called though, Ubuntu needs to fix it either way |
| 19:46 |
sfan5 |
it matters to not cause unnecessary panic. so let's not call it an RCE |
| 22:33 |
|
panwolfram joined #luanti-dev |
| 22:47 |
|
YuGiOhJCJ joined #luanti-dev |